[dnssec-deployment] DNSSEC and certificates.
Ed.Lewis at neustar.biz
Mon Jan 24 14:14:46 EST 2005
At 10:39 -0800 1/24/05, Doug Barton wrote:
>Jakob Schlyter wrote:
>> On Sat, 22 Jan 2005, Doug Barton wrote:
>>> The attack vector I'm most concerned about is the one where the
>>> attacker obtains a valid certificate, and then spoofs DNS to direct
>>> traffic to his bogus site. There is no way for the average user to
>>> protect themselves against this attack.
>> but there is notting we do against this attack unless we change the basic
>> principles of X.509 as we know it.
>Nothing can be done in the X.509 world of course, but that's precisely what
>makes this attack so troublesome.
Truthfully, no one can prevent any attack. But for the above
scenario, it can be mitigated through the use of revocation lists.
(Okay, I'll wait for the chortling to die down.)
In this instance, the DNS administrator would have to monitor a X.509
revocation list for each certificate used to authenticate a
transaction request, and undo the modification it caused if the
revocation was for malicious conduct.
This sounds fine in theory, I am of the impression that it isn't practical.
>> DNSSEC will of course help here, but the attacker can redirect traffic in
>> various other ways.
>Yes, but the combination of DNSSEC + X.509 makes any other attack vector
>almost prohibitively expensive.
There are routing layer attacks, and attacks like the one mentioned
above which may have started with a "social attack" - i.e., bribing
someone to get the certificate. (All this is well beyond the scope
of this group.)
>> but why try to obtain a valid cert when the user will just accept
>> whatever pops up on the screen?
>I don't share the same cynical view. I think that this problem is bad, but I
>don't think it's as bad as it's being made out to be. I'm also thinking of
>automated systems that run without user interaction, such as windows update,
If you want to make the pop-up have meaning, you have to present the
user with enough *information* (not *data*) to make an worthwhile
decision. E.g., a green pane defaults to "go ahead" a red pane
defaults to "stop" - more than "I got this untrusted blob" and less
than "I got these bytes as an untrusted key: 0x2d9e..." I'm sure
this can be balanced out when the time comes.
Edward Lewis +1-571-434-5468
"A noble spirit embiggens the smallest man." - Jebediah Springfield
More information about the Dnssec-deployment